Host:
$ uname -a
Linux sec-xenial-amd64 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$ apparmor_parser -V
AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.
Container:
root@xen:~# uname -a
Linux xen 4.4.0-77-generic #98-Ubuntu SMP Wed Apr 26 08:34:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
root@xen:~# apparmor_parser -V
AppArmor parser version 2.10.95
Copyright (C) 1999-2008 Novell Inc.
Copyright 2009-2012 Canonical Ltd.
Note, the reproducer is:
1. apt-get install lxd
2. sg lxd
3. lxc launch ubuntu:16.04 xen
4. lxc exec xen -- apt update
5. lxc exec xen -- apt dist-upgrade -y
6. lxc exec xen -- /bin/bash and edit /etc/apparmor.d/abstractions/base to have:
/run/systemd/journal/stdout rw,
7. lxc exec xen -- apt install cups -y
and get the denial. If I add to /etc/apparmor.d/usr.sbin.cups-browsed in the container:
/usr/sbin/cups-browsed r,
then I can (after reloading the profile):
$ lxc exec xen -- /bin/bash
root@xen:~# service cups-browsed stop
root@xen:~# service cups-browsed start
root@xen:~# systemctl status cups-browsed
● cups-browsed.service - Make remote CUPS printers available locally
   Loaded: loaded (/lib/systemd/system/cups-browsed.service; enabled; vendor preset:
   Active: active (running) since Thu 2017-05-04 20:06:50 UTC; 10s ago
 Main PID: 11697 (cups-browsed)
    Tasks: 3
   Memory: 2.5M
      CPU: 17ms
   CGroup: /system.slice/cups-browsed.service
           └─11697 /usr/sbin/cups-browsed

May 04 20:06:50 xen systemd[1]: Started Make remote CUPS printers available locally.
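The profile change described above (add a rule to the cups-browsed profile, then reload it), as an added example that is not part of the bug report or of the AppArmor project. The profile path and the two rules are the ones the report names; the function names `ensure_rule` and `reload_profile`, the "closing brace at column 0" heuristic, and the throwaway sample profile the script edits are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report: add a rule to an AppArmor
# profile file only if it is missing, then reload the profile. The profile
# path and the rules come from the report; the function names, the closing
# brace heuristic and the constructed sample profile are assumptions.
set -eu

# ensure_rule FILE RULE
# Inserts RULE (indented) just before the profile's closing "}" at column 0,
# unless an identical rule is already in FILE. Prints "added" or "present".
ensure_rule() {
    file=$1
    rule=$2
    if grep -qF -- "$rule" "$file"; then
        echo present
        return 0
    fi
    # Pass 1 records the line of the last column-0 "}"; pass 2 prints the
    # file with the rule inserted before that line. No brace means the file
    # is not a profile we understand, so refuse to touch it.
    awk -v rule="$rule" '
        NR == FNR { if ($0 ~ /^}/) last = FNR; next }
        FNR == 1 && !last { exit 1 }
        FNR == last { print "  " rule }
        { print }
    ' "$file" "$file" > "$file.tmp" || {
        rm -f "$file.tmp"
        echo "no closing brace in $file" >&2
        return 1
    }
    mv "$file.tmp" "$file"
    echo added
}

# reload_profile FILE
# Replaces the loaded profile with the contents of FILE (what the report
# calls "reloading the profile"). When apparmor_parser is not installed,
# prints the command instead, so the script also runs off-box.
reload_profile() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -r "$1"
    else
        echo "apparmor_parser not found; would run: apparmor_parser -r $1" >&2
    fi
}

# Demonstration on a constructed copy of a minimal cups-browsed profile, so
# that running this does not touch /etc/apparmor.d. In the container the
# real file is /etc/apparmor.d/usr.sbin.cups-browsed.
demo_profile=$(mktemp)
printf '%s\n' '#include <tunables/global>' \
    '/usr/sbin/cups-browsed {' \
    '  #include <abstractions/base>' \
    '}' > "$demo_profile"
ensure_rule "$demo_profile" '/usr/sbin/cups-browsed r,'           # prints: added
ensure_rule "$demo_profile" '/usr/sbin/cups-browsed r,'           # prints: present
ensure_rule "$demo_profile" '/run/systemd/journal/stdout rw,'     # prints: added
cat "$demo_profile"
# On the container, apply for real with:
#   ensure_rule /etc/apparmor.d/usr.sbin.cups-browsed '/usr/sbin/cups-browsed r,'
#   reload_profile /etc/apparmor.d/usr.sbin.cups-browsed
rm -f "$demo_profile"
```

Putting the journal rule into `usr.sbin.cups-browsed` rather than into `abstractions/base` (the report's step 6) keeps the grant scoped to cups-browsed; `abstractions/base` is included by most profiles on the system, so a rule added there widens every one of them. `apparmor_parser -r` replaces the profile already loaded in the kernel, which is what makes the `service cups-browsed start` afterwards succeed.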
--
https://bugs.launchpad.net/bugs/1655982
Title:
cups-browsed fails to start in containers after apparmor stacking backport to xenial